Issue with ACL permissions and SMB shares

msokol

Dabbler
Joined
Jan 5, 2023
Messages
10
I deployed several TrueNAS systems, one for primary storage and one as a backup server. Replication is configured and works well. However, I have some weird problems with permissions, particularly on the backup server. This is weird since the same version of TrueNAS SCALE is installed on the main server and no error occurs whatsoever.

Once owner@ and group@ are configured everything is fine:
[screenshot: 1672952490759.png]


But once I add the third rule, which prohibits any sort of access to everyone@, all previous permissions drop:

[screenshot: 1672952592586.png]


I noticed it when I lost access to this SMB share.

As a solution I applied a special permission to everyone@ with all options unmarked. But it was a solution only until I ran a test replication where I had applied "deny full access" to everyone@ (note that the corresponding SMB share from the main server works as expected despite everyone@ having no access as well). The backup server is installed from scratch and at the moment is not populated with data, therefore I am free to reconfigure it.

Does anyone have any idea?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
But it was a solution only until I ran a test replication where I had applied "deny full access" to everyone@ (note that the corresponding SMB share from the main server works as expected despite everyone@ having no access as well).

This is working precisely as designed. Denying access to everyone denies access to the owner and group as well. Cf. RFC 5661:

6.2.1.5.1. Discussion of EVERYONE@

It is important to note that "EVERYONE@" is not equivalent to the
UNIX "other" entity. This is because, by definition, UNIX "other"
does not include the owner or owning group of a file. "EVERYONE@"
means literally everyone, including the owner or owning group.
I believe this is also how ACLs work in Windows.
 

msokol

Dabbler
Joined
Jan 5, 2023
Messages
10
Thank you for the clarification. Once I swapped "deny" access to "allow" without ticking any checkbox, I could successfully open the corresponding backup folder. I had a feeling that "everyone" is different from "others" in Linux. Still, there are a few questions:

  1. Why did it not break any permissions in my main system, where I still had full access to my data?
  2. What is the proper ACL configuration with no access for anyone who is not listed in the permission list? Normally this list contains owner@ and group@. I would like to block any access to others.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Thank you for the clarification. Once I swapped "deny" access to "allow" without ticking any checkbox, I could successfully open the corresponding backup folder. I had a feeling that "everyone" is different from "others" in Linux. Still, there are a few questions:

  1. Why did it not break any permissions in my main system, where I still had full access to my data?
  2. What is the proper ACL configuration with no access for anyone who is not listed in the permission list? Normally this list contains owner@ and group@. I would like to block any access to others.
Remove the everyone@ entry.
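Added example (not code from the thread, TrueNAS or ZFS): a small Python model of NFSv4-style ACL evaluation that reproduces both points made above, that everyone@ matches the owner and owning group too (RFC 5661, section 6.2.1.5.1), and that the clean fix is to have no everyone@ entry at all rather than an everyone@ ALLOW with no boxes ticked. The model follows the first-match-per-bit rule from RFC 5661: ACEs are walked in list order, a DENY that covers any still-undecided requested bit fails the request, an ALLOW settles the bits it covers, and anything no ACE allows is denied at the end. The users, groups and the four ACL layouts are constructed for the example. One layout stores the everyone@ DENY ahead of the owner@/group@ ALLOWs, which is where Windows canonical ordering places explicit deny entries; the original poster's observation matches that case.

```python
"""Toy evaluator for NFSv4-style ACLs (constructed example, not TrueNAS or ZFS code).

Models the rule the thread turns on: ACEs are matched per permission bit, in
list order, and everyone@ matches every principal, including the file's owner
and owning group (RFC 5661, section 6.2.1.5.1).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# NFSv4 permission bits, named after RFC 5661's ACE4_* mask bits.
FULL = frozenset({
    "read_data", "write_data", "append_data", "execute", "delete",
    "delete_child", "read_attributes", "write_attributes", "read_acl",
    "write_acl", "write_owner", "read_xattr", "write_xattr", "synchronize",
})
MODIFY = FULL - {"write_acl", "write_owner"}
READ = frozenset({"read_data", "execute", "read_attributes", "read_acl",
                  "read_xattr", "synchronize"})


@dataclass(frozen=True)
class Ace:
    who: str                 # "owner@", "group@", "everyone@", "user:<n>", "group:<n>"
    kind: str                # "allow" or "deny"
    perms: FrozenSet[str]


@dataclass(frozen=True)
class Principal:
    name: str
    groups: FrozenSet[str]


@dataclass
class FileObj:
    owner: str
    group: str
    acl: List[Ace]


def ace_matches(ace: Ace, who: Principal, f: FileObj) -> bool:
    """Does this ACE apply to the requesting principal?"""
    if ace.who == "owner@":
        return who.name == f.owner
    if ace.who == "group@":
        return f.group in who.groups
    if ace.who == "everyone@":
        return True          # literally everyone, owner and owning group included
    if ace.who.startswith("user:"):
        return who.name == ace.who[len("user:"):]
    if ace.who.startswith("group:"):
        return ace.who[len("group:"):] in who.groups
    return False


def check_access(f: FileObj, who: Principal, requested: FrozenSet[str]) -> Tuple[bool, str]:
    """First-match-per-bit evaluation over the ACE list, in order."""
    undecided = set(requested)
    for ace in f.acl:
        if not undecided:
            break                       # every requested bit already allowed
        if not ace_matches(ace, who, f):
            continue
        hit = undecided & ace.perms
        if not hit:
            continue                    # e.g. an everyone@ ALLOW with no boxes ticked
        if ace.kind == "deny":
            return False, f"denied by {ace.who} deny ACE"
        undecided -= hit
    if undecided:
        return False, "no ACE allows: " + ", ".join(sorted(undecided))
    return True, "allowed"


def scenarios() -> Dict[str, Dict[str, bool]]:
    """Read access for three constructed users under four ACL layouts from the thread."""
    alice = Principal("alice", frozenset({"staff"}))        # file owner
    bob = Principal("bob", frozenset({"staff"}))            # member of owning group
    mallory = Principal("mallory", frozenset({"guests"}))   # not listed anywhere
    base = [Ace("owner@", "allow", FULL), Ace("group@", "allow", MODIFY)]
    layouts = {
        "owner_group_only": base,                                           # anodos's advice
        "everyone_deny_last": base + [Ace("everyone@", "deny", FULL)],
        "everyone_deny_first": [Ace("everyone@", "deny", FULL)] + base,     # canonical order
        "everyone_allow_nothing": base + [Ace("everyone@", "allow", frozenset())],  # workaround
    }
    out: Dict[str, Dict[str, bool]] = {}
    for label, acl in layouts.items():
        f = FileObj(owner="alice", group="staff", acl=acl)
        out[label] = {p.name: check_access(f, p, READ)[0] for p in (alice, bob, mallory)}
    return out


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:24s} {result}")
```

Two things fall out of running it. First, an everyone@ DENY placed ahead of the owner@ and group@ entries locks out the owner and the group, because everyone@ is not the POSIX "other" class; the same DENY placed last changes nothing for them, so the outcome depends on where the entry ends up in the stored ACL. Second, the "allow with nothing ticked" workaround only survives because an ALLOW with an empty mask never matches a requested bit; an ACL that lists just owner@ and group@ already denies every other principal by default, which is why dropping the everyone@ entry is the simpler configuration.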
 